How to enable TLSv1.3 on apache2?
I am running Apache2 version:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24
I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:
# apachectl configtest
AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.
Is it not possible to enable TLSv1.3 in Apache2 (yet)?
I know Nginx can do it, but this question aims at Apache2.
apache-httpd ssl
edited 2 mins ago
Vlastimil
8,1011464139
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
add a comment |
I am running Apache2 version:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24
I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:
# apachectl configtest
AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.
Is it not possible to enable TLSv1.3 in Apache2 (yet)?
I know Nginx can do it, but this question aims at Apache2.
apache-httpd ssl
edited 2 mins ago
Vlastimil
8,1011464139
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
@WarrenYoung check my edit
– James Kowalski
May 12 '18 at 3:05
@bora, so basically I have no choice other than go to nginx or wait?
– James Kowalski
May 12 '18 at 5:16
@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.
– Bora
May 12 '18 at 5:42
Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx
– Ayesh K
Oct 22 '18 at 8:38
add a comment |
I am running Apache2 version:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24
I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:
# apachectl configtest
AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.
Is it not possible to enable TLSv1.3 in Apache2 (yet)?
I know Nginx can do it, but this question aims at Apache2.
apache-httpd ssl
edited 2 mins ago
Vlastimil
8,1011464139
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
I am running Apache2 version:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24
I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:
# apachectl configtest
AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.
Is it not possible to enable TLSv1.3 in Apache2 (yet)?
I know Nginx can do it, but this question aims at Apache2.
apache-httpd ssl
apache-httpd ssl
edited 2 mins ago
Vlastimil
8,1011464139
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
edited 2 mins ago
Vlastimil
8,1011464139
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
edited 2 mins ago
Vlastimil
8,1011464139
edited 2 mins ago
Vlastimil
8,1011464139
edited 2 mins ago
Vlastimil
8,1011464139
8,1011464139
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
asked May 12 '18 at 2:54
James KowalskiJames Kowalski
18114
18114
@WarrenYoung check my edit
– James Kowalski
May 12 '18 at 3:05
@bora, so basically I have no choice other than go to nginx or wait?
– James Kowalski
May 12 '18 at 5:16
@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.
– Bora
May 12 '18 at 5:42
Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx
– Ayesh K
Oct 22 '18 at 8:38
add a comment |
@WarrenYoung check my edit
– James Kowalski
May 12 '18 at 3:05
@bora, so basically I have no choice other than go to nginx or wait?
– James Kowalski
May 12 '18 at 5:16
@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.
– Bora
May 12 '18 at 5:42
Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx
– Ayesh K
Oct 22 '18 at 8:38
@WarrenYoung check my edit
– James Kowalski
May 12 '18 at 3:05
@WarrenYoung check my edit
– James Kowalski
May 12 '18 at 3:05
@bora, so basically I have no choice other than go to nginx or wait?
– James Kowalski
May 12 '18 at 5:16
@bora, so basically I have no choice other than go to nginx or wait?
– James Kowalski
May 12 '18 at 5:16
@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.
– Bora
May 12 '18 at 5:42
@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.
– Bora
May 12 '18 at 5:42
Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx
– Ayesh K
Oct 22 '18 at 8:38
Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx
– Ayesh K
Oct 22 '18 at 8:38
add a comment |
4 Answers
4
active
oldest
votes
TLSv1.3 is not yet supported by Apache 2.4.
When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.
edited 8 mins ago
Vlastimil
8,1011464139
answered May 12 '18 at 5:33
BoraBora
1595
add a comment |
TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.
edited 6 mins ago
Vlastimil
8,1011464139
answered Oct 13 '18 at 17:05
obencsobencs
6913
add a comment |
You might use this PPA:
sudo add-apt-repository ppa:ondrej/apache2
Current version is:
$ apache2 -v
Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:27:08
TLS 1.3 is supported.
To enable it globally for all VirtualHosts, locate your ssl.conf and set:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Then restart Apache2 and it should be ready for a test, notably it on these sites:
https://www.ssllabs.com/ssltest/
https://www.htbridge.com/ssl/
My example result:
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
add a comment |
As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.
As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.
Notes, too long for a comment:
HTTP SITE DOES NOT REDIRECT
The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.
You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.
Your ciphers are wrong.
Please use (excerpt from my answer on Webmasters):
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.
You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.
TLS 1.1 is no longer mandatory.
- You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-on-apache2%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
TLSv1.3 is not yet supported by Apache 2.4.
When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.
edited 8 mins ago
Vlastimil
8,1011464139
answered May 12 '18 at 5:33
BoraBora
1595
add a comment |
TLSv1.3 is not yet supported by Apache 2.4.
When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.
edited 8 mins ago
Vlastimil
8,1011464139
answered May 12 '18 at 5:33
BoraBora
1595
add a comment |
TLSv1.3 is not yet supported by Apache 2.4.
When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.
edited 8 mins ago
Vlastimil
8,1011464139
answered May 12 '18 at 5:33
BoraBora
1595
TLSv1.3 is not yet supported by Apache 2.4.
When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.
edited 8 mins ago
Vlastimil
8,1011464139
answered May 12 '18 at 5:33
BoraBora
1595
edited 8 mins ago
Vlastimil
8,1011464139
edited 8 mins ago
Vlastimil
8,1011464139
edited 8 mins ago
Vlastimil
8,1011464139
8,1011464139
answered May 12 '18 at 5:33
BoraBora
1595
answered May 12 '18 at 5:33
BoraBora
1595
answered May 12 '18 at 5:33
BoraBora
1595
1595
add a comment |
add a comment |
TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.
edited 6 mins ago
Vlastimil
8,1011464139
answered Oct 13 '18 at 17:05
obencsobencs
6913
add a comment |
TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.
edited 6 mins ago
Vlastimil
8,1011464139
answered Oct 13 '18 at 17:05
obencsobencs
6913
add a comment |
TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.
edited 6 mins ago
Vlastimil
8,1011464139
answered Oct 13 '18 at 17:05
obencsobencs
6913
TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.
edited 6 mins ago
Vlastimil
8,1011464139
answered Oct 13 '18 at 17:05
obencsobencs
6913
edited 6 mins ago
Vlastimil
8,1011464139
edited 6 mins ago
Vlastimil
8,1011464139
edited 6 mins ago
Vlastimil
8,1011464139
8,1011464139
answered Oct 13 '18 at 17:05
obencsobencs
6913
answered Oct 13 '18 at 17:05
obencsobencs
6913
answered Oct 13 '18 at 17:05
obencsobencs
6913
6913
add a comment |
add a comment |
You might use this PPA:
sudo add-apt-repository ppa:ondrej/apache2
Current version is:
$ apache2 -v
Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:27:08
TLS 1.3 is supported.
To enable it globally for all VirtualHosts, locate your ssl.conf and set:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Then restart Apache2 and it should be ready for a test, notably it on these sites:
https://www.ssllabs.com/ssltest/
https://www.htbridge.com/ssl/
My example result:
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
add a comment |
You might use this PPA:
sudo add-apt-repository ppa:ondrej/apache2
Current version is:
$ apache2 -v
Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:27:08
TLS 1.3 is supported.
To enable it globally for all VirtualHosts, locate your ssl.conf and set:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Then restart Apache2 and it should be ready for a test, notably it on these sites:
https://www.ssllabs.com/ssltest/
https://www.htbridge.com/ssl/
My example result:
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
add a comment |
You might use this PPA:
sudo add-apt-repository ppa:ondrej/apache2
Current version is:
$ apache2 -v
Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:27:08
TLS 1.3 is supported.
To enable it globally for all VirtualHosts, locate your ssl.conf and set:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Then restart Apache2 and it should be ready for a test, notably it on these sites:
https://www.ssllabs.com/ssltest/
https://www.htbridge.com/ssl/
My example result:
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
You might use this PPA:
sudo add-apt-repository ppa:ondrej/apache2
Current version is:
$ apache2 -v
Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:27:08
TLS 1.3 is supported.
To enable it globally for all VirtualHosts, locate your ssl.conf and set:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Then restart Apache2 and it should be ready for a test, notably it on these sites:
https://www.ssllabs.com/ssltest/
https://www.htbridge.com/ssl/
My example result:
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
edited Oct 29 '18 at 4:00
Vlastimil
8,1011464139
8,1011464139
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
answered Oct 29 '18 at 2:54
Aryeh BeitzAryeh Beitz
1092
1092
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
add a comment |
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)
– LinuxBabe
Nov 13 '18 at 7:07
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.
– LinuxBabe
Nov 13 '18 at 12:11
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
@Vlastimil That never happened to me.
– LinuxBabe
Nov 13 '18 at 13:22
add a comment |
As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.
As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.
Notes, too long for a comment:
HTTP SITE DOES NOT REDIRECT
The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.
You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.
Your ciphers are wrong.
Please use (excerpt from my answer on Webmasters):
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.
You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.
TLS 1.1 is no longer mandatory.
- You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
add a comment |
As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.
As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.
Notes, too long for a comment:
HTTP SITE DOES NOT REDIRECT
The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.
You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.
Your ciphers are wrong.
Please use (excerpt from my answer on Webmasters):
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.
You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.
TLS 1.1 is no longer mandatory.
- You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
add a comment |
As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.
As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.
Notes, too long for a comment:
HTTP SITE DOES NOT REDIRECT
The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.
You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.
Your ciphers are wrong.
Please use (excerpt from my answer on Webmasters):
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.
You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.
TLS 1.1 is no longer mandatory.
- You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.
As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.
Notes, too long for a comment:
HTTP SITE DOES NOT REDIRECT
The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.
You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.
Your ciphers are wrong.
Please use (excerpt from my answer on Webmasters):
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.
You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.
TLS 1.1 is no longer mandatory.
- You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
edited Oct 29 '18 at 4:05
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
answered May 12 '18 at 6:26
VlastimilVlastimil
8,1011464139
8,1011464139
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
add a comment |
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)
– Michael Fever
Oct 6 '18 at 23:03
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.
– Michael Fever
Oct 25 '18 at 23:28
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-on-apache2%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
@WarrenYoung check my edit
– James Kowalski
May 12 '18 at 3:05
@bora, so basically I have no choice other than go to nginx or wait?
– James Kowalski
May 12 '18 at 5:16
@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.
– Bora
May 12 '18 at 5:42
Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx
– Ayesh K
Oct 22 '18 at 8:38